The U.S. Chamber of Commerce is urging federal banking regulators to avoid imposing “prescriptive cybersecurity standards” on the financial sector and instead support such entities adopting a “risk-based” approach to address their unique threats.
In its Jan. 18 comment letter, Chamber told the Federal Reserve Board, the Federal Deposit Insurance Corp. and the Office of the Comptroller of the Currency that imposing prescriptive cybersecurity standards on financial sector entities “would lead to standards that may become rapidly obsolete, an emphasis on compliance rather than security, and the potential undermining of existing public-private collaboration to mitigate cyber threats.”
The three agencies issued proposed joint standards last October that would apply to depository institutions and depository institution holding companies with assets of $50 billion or more, U.S. operations of foreign banking organizations with U.S. assets of $50 billion or more, and financial market infrastructure companies and nonbank financial companies supervised by the Federal Reserve.
The enhanced standards would not apply to community banks. Comments were due by Jan. 17.
The Chamber noted in its comment letter that while the agencies “have identified cybersecurity measures that may make sense for some financial institutions,” the Chamber is “concerned that we face a possible tipping point in the wrong direction in the financial services industry.”
The agencies’ proposed Enhanced Cyber Risk Management Standards “comes in the context of a misguided rulemaking by the New York State Department of Financial Services and a request for comment by the Federal Trade Commission on possible amendments to the Safeguards Rule,” the Chamber wrote, urging the agencies “not to create momentum for an effort to regulate away cyber risk. Such an approach would be a mistake: there is no regulatory silver bullet for cybersecurity.”
Chamber told the agencies to support the collaborative approach of the government and the private sector working together to enhance the nation’s cybersecurity, and “not drive the financial services industry to a compliance-based approach to cybersecurity built around static checklists.”
A better approach is for the agencies to build on the successes the financial sector has had in developing cyber controls “and further empower the initiative, capability, and momentum of the industry going forward,” the Chamber wrote.
“The financial sector’s work on cybersecurity is ongoing: Financial institutions and related entities continue to work hard to strengthen their cyber risk management programs. Many of these efforts began organically and have thrived as collaborative, consensus-based efforts.”
Agencies should also focus, both in this process and more broadly, on eliminating regulatory duplication and harmonizing cybersecurity standards under a risk-based approach, including Cybersecurity Framework issued by the National Institute of Standards and Technology (NIST), the Chamber wrote.
Moreover, the Chamber “would urge the agencies to ensure that any final product is clear and readily understandable by covered entities.”